tags:

views:

124

answers:

5
+1  Q: 

php - safest way to ensure plain text

What is the most secure way to stop users adding html or javascript to a field. I am adding a youtube style 'description' where users can explain their work but I don't want anything other than plain text in there and preferable none of the htmlentities rubbish like '<' or '>'.

Could I do something like this:

$clean = htmlentities($_POST['description']);

if ($clean != $_POST['description']) ... then return the form with an error?
+5  A: 

Have you seen strip_tags?

Daniel A. White  2010-01-08 17:38:22
You all answered in the same minute, but according to 'oldest' you were first. But thank you all for your answers.
Mark  2010-01-08 17:57:20
+2  A: 

strip_tags() would probably be the best bet.

You don't need to check the cleaned code vs the original and throw an error. As long as it is cleaned, you should be able to display it. Just throw away the original comment. You can put a note under the textbox saying that no html is allowed if you want to make it more user friendly.

Cryophallion  2010-01-08 17:38:23
+2  A: 

Use strip_tags() instead htmlentities().
And the method is ok.

hsz  2010-01-08 17:38:53
A: 

Also don't forget mysql_real_escape_string() if you are storing data in MySQL.

amindzx  2010-01-08 17:59:15
+1  A: 

htmlspecialchars(), if used properly (see comments), is the safest way to ensure plain text. There is no way to inject any HTML or JavaScript when the output has all the HTML special characters escaped. If you use strip_tags, you will prevent your users from using completely legitimate characters.

Ignas R  2010-01-08 18:09:42
@Ignas - This is wrong, using htmlspecialchars() without specifying the character encoding, XSS attacks that use UTF-7 are possible.
Jay Zeng  2010-01-08 18:27:10
Then, doesn't it also mean that `strip_tags` is also vulnerable to that? But anyway, thanks. I've corrected my answer.
Ignas R  2010-01-08 19:32:29
@Ignas - I honestly don't know if strip_tags() is vulnerable as well as it doesn't take encoding as parameter. I will have to play around this :)
Jay Zeng  2010-01-09 02:53:10

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases